**********************************************************
WINDOWS NT MAGAZINE SECURITY UPDATE
**Watching the Watchers**
The weekly Windows NT security update newsletter brought to you by
Windows NT Magazine and NTsecurity.net
http://www.winntmag.com/update/
**********************************************************

This week's issue sponsored by

Trend Micro -- Your Internet Virus Wall
http://www.antivirus.com/welcome/winnt071499.htm

Symantec
http://www.symantec.com/specprog/sym/11200e.html
(Below Security Roundup)

|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-

January 5, 2000 - In this issue:

1. IN FOCUS
   - Lots of Bark But No Significant Bite

2. SECURITY RISKS
   - AnalogX Server Subject to Buffer Overflow
   - PC-Cillin Subject to Denial of Service
   - CamShot Buffer Overflow
   - CSM Mail Server Denial of Service

3. ANNOUNCEMENTS
   - Enterprise Management Interactive Product Guide
   - Security Poll: Has Your Company Experienced Any Y2K-Related Problems?

4. SECURITY ROUNDUP
   - News: NT OBJECTives Offers VisualLast for Free
   - News: More than Eight New Viruses Ring in the New Year
   - Clarification: Reflections from 1999 and into 2000

5. NEW AND IMPROVED
   - Access Management for E-Business
   - Strengthen Web-to-Host Security

6. SECURITY TOOLKIT
   - Book Highlight: Microsoft Windows NT 4.0 Essential Reference Pack
   - Tip: Hiding Unwanted Shares

7. HOT THREADS
   - Windows NT Magazine Online Forums:
     * My Default Admin Share C$ Missing on NT Server
   - Win2KSecAdvice Mailing List:
     * Happy New Year / A Little New Year Rant on Antivirus Software
     * Y2K Bugs Galore
   - HowTo Mailing List:
     * Explorer.exe Exception: Access Violation (0Xc0000005)

~~~~ SPONSOR: TREND MICRO -- YOUR INTERNET VIRUS WALL ~~~~
Think you've seen the REAL Phantom Menace? Imagine a virus attack holding your network hostage! Protect your empire with Trend's wide range of antivirus solutions.
Trend is a world leader in antivirus technologies offering protection -- for the Internet gateway, Notes and Exchange email servers, the desktop and everywhere in between - that form a protective, virtual VirusWall around your network.
http://www.antivirus.com/welcome/winnt071499.htm
For more information, call 800-228-5651 or click the link above.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Want to sponsor Windows NT Magazine Security UPDATE? Contact Vicki Peterson (Western and International Advertising Sales Manager) at 877-217-1826 or vpeterson@winntmag.com, OR Tanya T. TateWik (Eastern Advertising Sales Manager) at 877-217-1823 or ttatewik@winntmag.com.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

1. ========== IN FOCUS ==========

Hello everyone,

Lots of bark and no bite. That's how I'd describe Y2K's effect on computers and computer-based technologies. I don't know about you, but I didn't encounter one problem--not on my network, not with my public utilities, and not with my banking, grocer, or anything else I can think of. Apparently, all the preparations for Y2K have paid off; I'm not surprised that the impact seems rather insignificant so far.

What does amaze me is the fact that my test networks encountered no Y2K-related problems even though I loaded no Y2K fixes on those test systems. I thought it might be educational and rather fun to dig out of any Y2K-induced mayhem, but I suffered a let-down.

There I was, New Year's Eve, ready to upgrade test systems from Service Pack 5 (SP5) with no hotfixes to SP6a along with various third-party patches, but nothing happened to warrant that action. At first, I felt cheated out of another Ph.D. from the School of Hard Knocks, but as I sat sipping a glass of champagne just after midnight, I realized I wasn't cheated at all. Instead, I was taken care of.
The fine engineers and developers at Intel, Microsoft, HP, Dell, Compaq, and countless other prominent companies have done an excellent job of minimizing Y2K's impact on technology. I'm truly impressed. Congratulations to everyone involved in that effort.

If you're among those people that did suffer technological failures at the hands of Y2K, I'd like to hear the details. I'd also like to hear from you if intruders attacked or probed your networks over the holiday weekend.

Happy New Year 2000 and, until next time, have a great week!

Sincerely,
Mark Joseph Edwards, News Editor
mark@ntsecurity.net

2. ========== SECURITY RISKS =========
(contributed by Mark Joseph Edwards, mark@ntsecurity.net)

* ANALOGX SERVER SUBJECT TO BUFFER OVERFLOW
UssrLabs discovered a buffer overflow condition in the AnalogX Server that might let arbitrary code run. The problem resides in the code that handles HTTP GET commands. The vendor is aware of the problem; however, no fix was available at the time of this writing.
http://www.ntsecurity.net/go/load.asp?iD=/security/analogx.htm

* PC-CILLIN SUBJECT TO DENIAL OF SERVICE
Daniel Stasinski discovered that Trend Micro's PC-Cillin 6.x has a feature that helps guard against unwanted Java and ActiveX code. This feature routes HTTP requests through an internal proxy server on port 8431. The feature lets anyone connect to the port and saturate the server, thereby causing a denial of service (DoS). According to Stasinski's report, Trend Micro will correct this problem in the next version of the software.
http://www.ntsecurity.net/go/load.asp?iD=/security/pccillin.htm

* CAMSHOT BUFFER OVERFLOW
UssrLabs discovered a buffer overflow condition in the CamShot software that might let arbitrary code execute on the server. The problem resides in the code that handles HTTP GET commands, which apparently contains an unchecked buffer that an intruder can overflow by sending approximately 2000 characters as the command parameter.
The vendor is aware of this problem but hasn't yet released a fix.
http://www.ntsecurity.net/go/load.asp?iD=/security/camshot.htm

* CSM MAIL SERVER DENIAL OF SERVICE
UssrLabs discovered a buffer overflow condition in CSM's Mail Server that might let arbitrary code execute and also provides a mechanism to launch a denial of service (DoS) attack against the server by sending approximately 12,000 characters as the parameter for the SMTP HELO command.
http://www.ntsecurity.net/go/load.asp?iD=/security/csmmail.htm

3. ========== ANNOUNCEMENTS ==========

* ENTERPRISE MANAGEMENT INTERACTIVE PRODUCT GUIDE
Network managers...save time, enhance performance, and fine-tune your network. Managing a Windows NT environment is a tough job. Providing the best service possible and maintaining the delicate balance of security, performance, availability, and scalability is the key. Finding the right tool, however, can reduce the time, effort, and energy it takes to get your job done. For a complete shopping network of the industry's leading tools and utilities, point your browser to http://www.winntsolutions.com/enterprise.

* SECURITY POLL: HAS YOUR COMPANY EXPERIENCED ANY Y2K-RELATED PROBLEMS?
We've just launched a new survey that asks whether you suffered any Y2K-related problems. Stop by our home page and take the quick poll to let us know how Y2K is affecting your network.
http://www.ntsecurity.net

4. ========== SECURITY ROUNDUP ==========

* NEWS: NT OBJECTIVES OFFERS VISUALLAST FOR FREE
NT OBJECTives has announced that the company is offering free copies of its Windows NT audit tool, VisualLast, as a non-profit effort to help with expected network attacks and other problems related to Y2K. A complete version of VisualLast became freely available for download on December 30 and will remain free until midnight of January 14, 2000.
http://www.ntsecurity.net/go/2c.asp?f=/news.asp?IDF=197&TB=news

* NEWS: MORE THAN EIGHT NEW VIRUSES RING IN THE NEW YEAR
Computer Associates and other vendors have reported no less than eight new viruses over the past 4 days, all of which affect Windows platforms. In the days leading up to the new year, numerous entities warned that many new viruses would be appearing, but so far, new virus discoveries are only slightly higher than usual. For a list of the new viruses and links to common antivirus software vendors, be sure to visit the link below.
http://www.ntsecurity.net/go/2c.asp?f=/news.asp?IDF=196&TB=news

* CLARIFICATION: REFLECTIONS FROM 1999 AND INTO 2000
In my editorial last week, I mentioned the Chinese government's handling of two crackers that authorities caught stealing $87,000 from a Chinese bank. China sentenced the men to death for their actions, which is cruel and unusual punishment by American standards. I also mentioned that a Chinese man working in the United States was caught stealing sensitive nuclear secrets. However, I failed to clarify that authorities have not yet convicted the man in question. As you well know, a person is considered innocent in the United States until proven guilty by due process in a court of law, regardless of the strength of any available evidence against the accused. Therefore, I offer my apologies to any readers who were offended by the omission.

~~~~ SPONSOR: SYMANTEC ~~~~
Norton Ghost™ 6.0 is the premier tool for Windows 2000 migration, PC deployment, cloning, and PC recovery. It dramatically reduces IT costs by streamlining the configuration of networked workstations. Administrators can restore a system image onto a failed PC in as little as seven minutes, and reduce PC deployment and upgrade times by 90 percent or more. Click here to order your free trialware!
http://www.symantec.com/specprog/sym/11200e.html

5.
========== NEW AND IMPROVED ==========
(contributed by Carolyn Mascarenas, products@winntmag.com)

* ACCESS MANAGEMENT FOR E-BUSINESS
Gradient Technologies announced NetCrusader/CORBA, access management software for e-business applications. With NetCrusader/CORBA, organizations can define and institute granular, selective access to Common Object Request Broker Architecture (CORBA) applications and related resources. The software provides security for security-unaware CORBA applications and fine-grained access for security-aware CORBA applications.

At Level 1 security, NetCrusader/CORBA secures existing legacy applications without requiring software modifications. At Level 2 security, developers can implement sophisticated, personalized access without embedding complex security logic in the application.

NetCrusader/CORBA runs on Windows NT systems. For pricing, contact Gradient Technologies, 508-624-9600.
http://www.gradient.com

* STRENGTHEN WEB-TO-HOST SECURITY
ICOM Informatics released Winsurf Mainframe Access (WMA), connectivity software that now includes the Winsurf Security Server (WSS), which strengthens secure exchanges between hosts and WMA client workstations in Internet, intranet, and extranet architectures.

Before connecting to the host, the security server exchanges a digital certificate with the user workstation to maintain the authenticity of the link. The encryption process guarantees that only the intended recipient reads the data. The encryption of the data exchange uses RSA algorithms. The software digitally signs the data that the emulator and the host exchange to verify that no one has intercepted or modified the received or sent information.

WMA installs on a Windows NT server equipped with Microsoft Internet Information Server (IIS). For pricing, contact ICOM Informatics, 512-335-8200.
http://www.icominfo.com

6.
========== SECURITY TOOLKIT ==========

* BOOK HIGHLIGHT: MICROSOFT WINDOWS NT 4.0 ESSENTIAL REFERENCE PACK
By Microsoft Press
Online Price: $55.95
Softcover
Published by Microsoft Press, December 1999

The Microsoft Windows NT 4.0 Essential Reference Pack contains indispensable tools, tips, field-tested procedures, and step-by-step instructions that network administrators and other IT professionals need to manage NT Server 4.0. The reference pack combines three key reference books brimming with detailed, dependable information about administration, management, and security that comes right from the source--Microsoft. Best of all, you save up to 40 percent off the retail price of buying all three books separately.

The reference pack is ideal for anyone who wants to:
- Learn how to set up a secure network
- Gain real-world network-management expertise from Microsoft Consulting Services
- Troubleshoot support issues quickly

For Windows NT Magazine Security UPDATE readers only--Receive an additional 10 PERCENT off the online price by typing WINNTMAG in the referral field on the Shopping Basket Checkout page. To order this book, go to http://www.fatbrain.com/shop/info/0735610096?from=SUT864.

* TIP: HIDING UNWANTED SHARES
(contributed by Mark Joseph Edwards, mark@ntsecurity.net)

I often get questions on how to hide shares on Windows NT systems. To hide regular resource shares (such as a shared directory), simply append a dollar sign to the end of the share name. For example, instead of using TEMP you could use TEMP$. The dollar sign tells NT not to list these particular shares under normal network browsing operations. Keep in mind that to connect to a hidden share, a user must know the exact share name and path because the OS hides that information.

In addition, NT creates a default set of hidden administrative shares each time the system boots. These shares map directly to the root directory on each installed hard disk.
For example, you'll find a C$ share that maps to C:\. These shares are obvious targets for an attacker.

To remove the default hidden administrative shares, adjust the Registry key listed below. If the key doesn't exist, create the key as defined below. Always back up your Registry before making changes because improper edits could render the system nonbootable.

Hive : HKEY_LOCAL_MACHINE
Key  : \SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
Name : AutoShareServer (use on NT Servers only)
Name : AutoShareWks (use on NT Workstations only)
Type : REG_DWORD
Value: 0

7. ========== HOT THREADS ==========

* WINDOWS NT MAGAZINE ONLINE FORUMS
The following text is from a recent threaded discussion on the Windows NT Magazine online forums (http://www.winntmag.com/support).

January 01, 2000, 11:16 A.M.
My Default Admin Share C$ Missing on NT Server

My NT Default Admin Shares C$ and D$ are missing on my NT Server. My ArcServe backup was using these for backing up the server. I think these Admin Shares (C$/D$) are created automatically by NT Server. How do I put them back?
Thanks

Thread continues at
http://www.winntmag.com/support/Forums/Application/Index.cfm?CFApp=69&Message_ID=83875

* WIN2KSECADVICE MAILING LIST
Each week we offer a quick recap of some of the highlights from the Win2KSecAdvice mailing list. The following threads are in the spotlight this week:

1. Happy New Year / A Little New Year Rant on Antivirus Software
http://www.ntsecurity.net/go/w.asp?A2=IND0001A&L=WIN2KSECADVICE&P=92
2. Y2K Bugs Galore
http://www.ntsecurity.net/go/w.asp?A2=IND0001A&L=WIN2KSECADVICE&P=755

Follow this link to read all threads for Jan. Week 1:
http://www.ntsecurity.net/go/win2ks-l.asp?s=win2ksec

* HOWTO MAILING LIST
Each week we offer a quick recap of some of the highlights from the "HowTo for Security" mailing list. The following threads are in the spotlight this week:

1.
Explorer.exe Exception: Access Violation (0Xc0000005)
http://www.ntsecurity.net/go/L.asp?A2=IND9912C&L=HOWTO&P=3020

Follow this link to read all threads for Jan. Week 1:
http://www.ntsecurity.net/go/l.asp?s=howto

|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-

WINDOWS NT MAGAZINE SECURITY UPDATE STAFF
News Editor - Mark Joseph Edwards (mje@winntmag.com)
Ad Sales Manager (Western and International) - Vicki Peterson (vpeterson@winntmag.com)
Ad Sales Manager (Eastern) - Tanya T. TateWik (ttatewik@winntmag.com)
Editor - Gayle Rodcay (gayle@winntmag.com)
New and Improved – Carolyn Mascarenas (products@winntmag.com)
Editor-at-Large – Jane Morrill (jane@winntmag.com)

|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-

Thank you for reading Windows NT Magazine Security UPDATE

To subscribe, go to http://www.winntmag.com/update or send email to listserv@listserv.ntsecurity.net with the words "subscribe securityupdate anonymous" in the body of the message without the quotes.

To unsubscribe, send email to listserv@listserv.ntsecurity.net with the words "unsubscribe securityupdate" in the body of the message without the quotes.

To change your email address, you must first unsubscribe by sending email to listserv@listserv.ntsecurity.net with the words "unsubscribe securityupdate" in the body of the message without the quotes. Then, resubscribe by going to http://www.winntmag.com/update and entering your current contact information or by sending email to listserv@listserv.ntsecurity.net with the words "subscribe securityupdate anonymous" in the body of the message without the quotes.

========== GET UPDATED! ==========
Receive the latest information on the NT topics of your choice. Subscribe to these other FREE email newsletters at http://www.winntmag.com/sub.cfm?code=up99inxsup.
Windows NT Magazine UPDATE
Windows NT Magazine Thin-Client UPDATE
Windows NT Exchange Server UPDATE
Windows 2000 Pro UPDATE
ASP Review UPDATE
SQL Server Magazine UPDATE

|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-

Copyright 2000, Windows NT Magazine

Security UPDATE Newsletter is powered by LISTSERV software
http://www.lsoft.com/LISTSERV-powered.html
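
The check below is an added example, not part of the original newsletter: a read-only PowerShell audit of the AutoShare values from the tip in section 6 and of every share hidden with a trailing dollar sign. It assumes a current Windows system with PowerShell 3.0 or later (for Get-CimInstance) and uses LanmanServer, the Server service's key name in the Registry; the function names are this example's own.

```powershell
# Added example: read-only audit of hidden and administrative shares.
# Assumption: run locally on Windows with PowerShell 3.0+; nothing is modified.

$ParamKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Get-AutoShareSetting {
    # Reports AutoShareServer / AutoShareWks and what each state means.
    param([string]$Path = $ParamKey)

    foreach ($name in 'AutoShareServer', 'AutoShareWks') {
        # A missing value is not an error here; it simply means "default behaviour".
        $item  = Get-ItemProperty -Path $Path -Name $name -ErrorAction SilentlyContinue
        $value = $null
        if ($item) { $value = $item.$name }

        if ($null -eq $value)  { $state = 'absent: default admin shares are created at boot' }
        elseif ($value -eq 0)  { $state = 'default admin shares disabled' }
        else                   { $state = 'default admin shares enabled' }

        [pscustomobject]@{ Name = $name; Value = $value; State = $state }
    }
}

function Get-HiddenShare {
    # Lists every share whose name ends in '$' and separates the system's
    # administrative shares from shares an operator hid by naming alone.
    Get-CimInstance -ClassName Win32_Share |
        Where-Object { $_.Name.EndsWith('$') } |
        ForEach-Object {
            # Win32_Share.Type is 2147483648 or higher for administrative shares
            # (disk, print, device and IPC admin types).
            $kind = if ($_.Type -ge 2147483648) { 'administrative' }
                    else { 'hidden by name only' }
            [pscustomobject]@{ Name = $_.Name; Path = $_.Path; Kind = $kind }
        }
}

Get-AutoShareSetting | Format-Table -AutoSize
Get-HiddenShare      | Format-Table -AutoSize
```

An AutoShare value of 0 together with no C$ or D$ in the second table matches the symptom described in the forum thread in section 7. A trailing dollar sign only keeps a name out of browse lists, so shares reported as "hidden by name only" still depend on their share and file permissions for access control.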